(edited by reno31 2017-07-24 18:30:49)

Topic: [HOW TO] Create special filter for amavis by sender

I have clients / relations that love to send those .emf files. As they can transport JavaScript, I've blocked them, but since no one on the other side is going to change, I modified some config to allow those files for specific users or domains.

It could be used for anything, including bypassing amavis completely...

I'm on Debian, so the paths are Debian ones; please adjust accordingly.

In /etc/postfix/sender_access.pcre :

# Entire domain filtering
/domain\.tld/ FILTER smtp-amavis:[127.0.0.1]:10027
# Sub domain filtering (dots escaped, otherwise "." matches any character)
/\.domain\.tld/ FILTER smtp-amavis:[127.0.0.1]:10027
# Specific email filtering
/lastname\.name@domain\.tld/ FILTER smtp-amavis:[127.0.0.1]:10027

So in this file we say that domain.tld, *.domain.tld and lastname.name@domain.tld go to a new amavis filter.
You can have one filter per line if you want.
If you want to bypass amavis entirely, set the port to 10025, so Postfix sends the mail back to itself.
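Because these pcre patterns are unanchored, they match anywhere in the sender address, so a lookalike domain can be routed to the relaxed filter too. The following is an added example (not part of the original post): a small evaluator for the sender_access.pcre format with Postfix's first-match semantics, run over the page's patterns and over an anchored variant that I propose; Python's re is used as an approximation of PCRE, and on a real system the authoritative check is `postmap -q "user@domain.tld" pcre:/etc/postfix/sender_access.pcre`.

```python
import re

# Constructed sample in the format of /etc/postfix/sender_access.pcre
# ("/pattern/flags action", one rule per line): the page's unanchored rules.
PAGE_TABLE = r"""
# Entire domain filtering
/domain\.tld/ FILTER smtp-amavis:[127.0.0.1]:10027
# Specific email filtering
/lastname\.name@domain\.tld/ FILTER smtp-amavis:[127.0.0.1]:10027
"""

# Anchored variant (my suggestion, not from the page): only the exact address,
# the exact domain, or its subdomains are routed to port 10027.
ANCHORED_TABLE = r"""
/^lastname\.name@domain\.tld$/ FILTER smtp-amavis:[127.0.0.1]:10027
/^[^@]+@([^@.]+\.)*domain\.tld$/ FILTER smtp-amavis:[127.0.0.1]:10027
"""

# /pattern/flags action  (the pattern may contain escaped slashes)
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(.+)$")

def parse_table(text):
    """Parse a pcre access table; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % raw)
        pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default and the 'i'
        # flag toggles that, so writing 'i' makes a rule case-sensitive.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, sender):
    """Postfix tries the rules in table order; the first match wins.
    None means no match, so the global content_filter applies."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None

PAGE_RULES = parse_table(PAGE_TABLE)
ANCHORED_RULES = parse_table(ANCHORED_TABLE)
```

With the page's rules, `user@notdomain.tld` is also sent to port 10027; with the anchored rules it is not.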

In /etc/amavis/conf.d/50-user :
Add at the bottom, before the "1; # ensure a defined return" line.

%banned_rules = (
    'ALLOW_WMF' => new_RE(
        # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

        # block certain double extensions anywhere in the base name
        qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

        qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

        qr'^application/x-msdownload$'i,                  # block these MIME types
        qr'^application/x-msdos-program$'i,
        qr'^application/hta$'i,

        # qr'^application/x-msmetafile$'i,      # Windows Metafile MIME type
        # qr'^\.wmf$',                          # Windows Metafile file(1) type

        # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

        # [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
        # [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
        # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
        # [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

        #  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
         qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|grp|hlp|hta|
                inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
                ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|docm|
                wsc|wsf|wsh)$'ix,  # banned ext - long

        # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

          qr'^\.(exe-ms)$',                       # banned file(1) types
        # qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
        ),
        # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
        # and http://www.cknow.com/vtutor/vtextensions.htm
    'DEFAULT' => $banned_filename_re,
);


$interface_policy{'10027'} = 'ALLOWWMF';

$policy_bank{'ALLOWWMF'} = {
 banned_filename_maps => ['ALLOW_WMF'],
};

Here in %banned_rules we define 'ALLOW_WMF' and 'DEFAULT'.
'ALLOW_WMF' is a simple copy of $banned_filename_re from the file 20-debian_defaults, stripped of the wmf and emf file extensions.
'DEFAULT' takes back the $banned_filename_re from the previous files.

Next comes the new interface (10027) and the name of its policy bank (ALLOWWMF).

After that the policy bank for this interface is defined, where we specify what we want to block.

One more thing: at the top of this file you must modify $inet_socket_port so that amavis listens on the new port:

# listen on multiple TCP ports. 9998 is used for releasing quarantined mails.
$inet_socket_port = [10024, 10026, 9998, 10027];

Add the 10027 port number, or more ports if you choose to create more policy banks.

There is no question here, but if you have modifications that simplify this, leave a reply.

Thanks.

EDIT : In %banned_rules (which must come after the banned_filename_re = assignment) you can put only the changes; by default it loads the default conf and applies the policy on top of the original one.

so :

%banned_rules = (
    'ALLOW_WMF' => new_RE(
       # an "allow" entry is a [ regexp => 0 ] pair, as in 20-debian_defaults;
       # a bare "=> 0" in the list would be read as a separate pattern
       [ qr'^application/x-msmetafile$'i => 0 ],   # Windows Metafile MIME type
       [ qr'^\.wmf$' => 0 ],                       # Windows Metafile file(1) type
    ),
    'DEFAULT' => $banned_filename_re,
);

$interface_policy{'10027'} = 'ALLOWWMF';

$policy_bank{'ALLOWWMF'} = {
 banned_filename_maps => ['ALLOW_WMF'],
};
